Require specific methods for most endpoints. Closes #9.

Thanks for @meacer for pointing this out.
chromium · May 7, 2016 · 6332dbb · 6332dbb
1 parent d54cd21
commit 6332dbb
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 20 deletions.
diff --git a/Makefile b/Makefile
@@ -10,7 +10,7 @@ build:
 
 .PHONY: format
 format:
-	go fm
+	go fmt
 	# Need to specify non-default clang-format: https://crbug.com/558447
 	/usr/local/bin/clang-format -i -style=Google files/static/js/*.js
 

diff --git a/files/static/js/base.js b/files/static/js/base.js
@@ -22,7 +22,7 @@ URLParam.prototype = {
 var HSTSPreload = function() {}
 
                   HSTSPreload.prototype = {
-  callAPI: function(endpoint, domain) {
+  callAPI: function(method, endpoint, domain) {
     var path = '/' + endpoint + '?domain=' + encodeURIComponent(domain);
     console.log('XHR:', path);
     // TODO: look at response codes.
@@ -34,14 +34,16 @@ var HSTSPreload = function() {}
       req.addEventListener('load', onload);
       req.addEventListener(
           'error', (function(err) { reject(err); }).bind(this));
-      req.open('GET', path);
+      req.open(method, path);
       req.send();
     });
   },
 
-  status: function(domain) { return this.callAPI('status', domain); },
+  status: function(domain) { return this.callAPI('GET', 'status', domain); },
 
-  preloadable: function(domain) { return this.callAPI('preloadable', domain); },
+  preloadable: function(domain) {
+    return this.callAPI('GET', 'preloadable', domain);
+  },
 
-  submit: function(domain) { return this.callAPI('submit', domain); }
+  submit: function(domain) { return this.callAPI('POST', 'submit', domain); }
 };
diff --git a/files/static/js/view.js b/files/static/js/view.js
@@ -17,29 +17,27 @@ var PreloadView = function(submitDomain, urlParam) {
   $('#checkbox-subdomains')
       .addEventListener('change', this._checkboxChangedHandler.bind(this));
 
-  if (location.hash === "") {
+  if (location.hash === '') {
     $('#domain').focus()
   } else {
     this._highlightHash();
   }
-  window.addEventListener("hashchange", this._highlightHash);
+  window.addEventListener('hashchange', this._highlightHash);
 };
 
 PreloadView.prototype = {
   _highlightHash: function() {
-    var highlighted = document.getElementsByClassName("highlight");
+    var highlighted = document.getElementsByClassName('highlight');
     for (var i = 0; i < highlighted.length; i++) {
-      highlighted[i].classList.remove("highlight");
+      highlighted[i].classList.remove('highlight');
     }
 
-    var el = $(location.hash)
-    if (el) {
-      el.classList.add("highlight");
-    }
+    var el = $(location.hash) if (el) { el.classList.add('highlight'); }
   },
 
   _removeHash: function() {
-    history.replaceState({}, document.title, window.location.pathname + window.location.search);
+    history.replaceState(
+        {}, document.title, window.location.pathname + window.location.search);
   },
 
   _checkboxChangedHandler: function(ev) {

diff --git a/server.go b/server.go
@@ -20,10 +20,10 @@ func main() {
 
 	http.HandleFunc("/robots.txt", http.NotFound)
 
-	http.HandleFunc("/preloadable", domainHandler(preloadable))
-	http.HandleFunc("/removable", domainHandler(removable))
-	http.HandleFunc("/status", domainHandler(status))
-	http.HandleFunc("/submit", domainHandler(submit))
+	http.HandleFunc("/preloadable", domainHandler("GET", preloadable))
+	http.HandleFunc("/removable", domainHandler("GET", removable))
+	http.HandleFunc("/status", domainHandler("GET", status))
+	http.HandleFunc("/submit", domainHandler("POST", submit))
 
 	http.HandleFunc("/pending", pending)
 	http.HandleFunc("/update", update)
@@ -45,8 +45,13 @@ func writeJSONOrBust(w http.ResponseWriter, v interface{}) {
 	fmt.Fprintf(w, "%s\n", b)
 }
 
-func domainHandler(handler func(http.ResponseWriter, string)) http.HandlerFunc {
+func domainHandler(method string, handler func(http.ResponseWriter, string)) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != method {
+			http.Error(w, fmt.Sprintf("Wrong method. Requires %s.", method), http.StatusMethodNotAllowed)
+			return
+		}
+
 		unicode := r.URL.Query().Get("domain")
 		if unicode == "" {
 			http.Error(w, "Domain not specified.", http.StatusBadRequest)
@@ -158,6 +163,11 @@ func submit(w http.ResponseWriter, domain string) {
 }
 
 func pending(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		http.Error(w, fmt.Sprintf("Wrong method. Requires GET."), http.StatusMethodNotAllowed)
+		return
+	}
+
 	names, err := domainsWithStatus(StatusPending)
 	if err != nil {
 		msg := fmt.Sprintf("Internal error: not convert domain to ASCII. (%s)\n", err)
@@ -194,6 +204,8 @@ func difference(from []string, take []string) (diff []string) {
 }
 
 func update(w http.ResponseWriter, r *http.Request) {
+	// In order to allow visiting the URL directly in the browser, we allow any method.
+
 	// Get preload list.
 	preloadList, listErr := chromiumpreload.GetLatest()
 	if listErr != nil {